Security flaws exposed at Washington, D.C. airports

The Metropolitan Washington Airport Authority (MWAA) earlier this year published a document to its website containing sensitive security information that terrorists could potentially have used to launch cyber and physical attacks against Reagan National and Dulles International airports in Washington, D.C.

The document is a Statement of Work (SOW) published as part of a process to solicit contractors for electronic security maintenance, repair, modification, and installation services at the airports. Since being contacted for this article, the MWAA has removed information from the document that it deemed sensitive.

Rob Yingling, a spokesperson for the MWAA, acknowledges that he could not be certain exactly how long the SOW was available on the public Internet. He says SOW documents for contractors are typically published for temporary periods, but the length of each varies depending on the services the solicitation seeks.

A solicitation for the project dated March 2, 2012 gives an April 4 deadline for questions about the project. On Sept. 19, the same day the MWAA issued a statement declaring the sensitive information was removed from the document, the MWAA's board of directors approved a contract for the security services to TYCO Integrated Security, Yingling says.

Statement of work documents are often made available online. Several federal agencies, such as the Government Services Agency and the Centers for Medicare & Medicaid Services, publish their SOWs for construction projects regularly. However, the MWAA acknowledged that the documents need to be screened for sensitive information before being published.

"To ensure a wide range of competitive bids for the contracts we award, the Airports Authority routinely posts procurement documents online," according to a statement the MWAA provided to Network World. "The referenced contract has completed the procurement process, and therefore documents have been removed from our website. We agree postings of this type need to be fully vetted and only contain releasable information pertaining to the solicitation in question."

Matthijs Koot, an independent security researcher from the Netherlands, first voiced his concerns after spotting the document in a popular online disclosure forum. At first glance, the document appeared to be little more than a general rundown of maintenance projects typical of SOWs. Further examination, however, left Koot alarmed over the level of detail regarding hardware and configuration of sensitive security systems.

"The words 'airport' and 'electronic systems security' hit my curiosity bone," Koot says. "I skimmed through the file and noticed it contains a lot of details about security procedures, such as schedules for testing the alarm system and how security information is communicated."

The document included a detailed map of Ronald Reagan Washington National Airport, a diagram of the entire electronic security system - including connection and protocol details for key components - and an outline of which COTS hardware/software are used, down to the router brands and types.

After reviewing the document, Koot asked for a second opinion from a senior-level U.S. military cybersecurity specialist and former leader of a military Red Team that challenged government systems to identify weaknesses.

Though he only agreed to speak on the condition of anonymity, the specialist says the document contained "exactly the type of open source information that the team and I were always looking for in order to lay the groundwork for targeting of a system."

Others agree. After reviewing the SOW, Scot Terban, who performs penetration testing, incident response, forensics, and information security auditing at an aerospace company, says "all you'd need to really set up a nice hacking attack on Reagan and Dulles is in there." That includes the number and location of surveillance cameras, the operating systems used at the airports, the types of switching, routing and networking hardware used, network logic diagrams and data flows, and the locations of RFID readers.

"It is also important to note that in this document set, they state that the work being done will allow for access to the codes for the airport facilities," Terban says. "So once in [the] clear, the attacker would have access to pretty much the keys to the kingdom at both airports."

To better understand what the information contained in the SOW could be used for from an attacker's perspective, an experienced hacker familiar with penetration testing and the techniques employed in undermining network security systems was consulted. Given the sensitive nature of the information, the source preferred to remain unnamed.

The hacker explained that anyone launching an attack could spend months gathering the necessary information. With the SOW, "someone decided to do all this work for me," he says.

Bureaucratic finger-pointing

The difficulty involved with reporting the issue to federal authorities raised additional concerns. The military cybersecurity specialist contacted the Department of Homeland Security shortly after reviewing the document. However, because the airports are classified as civilian facilities, his reporting was limited to a phone-based system developed as part of Secretary Janet Napolitano's "If You See Something, Say Something" campaign.

"DHS uses a multi-tiered system to accept reports. I am sure they are inundated with information, so the first line of operators are there simply to take down as much information as possible as it relates to the issue at hand," the specialist says. "From my experience, this first level had no technical expertise and was not there to evaluate as much as to simply record and report."

Two weeks after initially reporting the document, the specialist was contacted by TSA customer service representatives. Even after the specialist stated his position in the military and reiterated his concern over the information contained in the SOW, TSA officials informed him that they did not consider the document sensitive in nature. No further action involving the SOW was required, the TSA told him.

Responding to a separate inquiry months later, a TSA representative told Network World the matter was the responsibility of the MWAA, adding that "airports are responsible for airport security."

The military specialist who initially reported the security risks to the TSA says the inconsistency with which the two agencies responded revealed some "operational gaps and seams." These weaknesses are what adversaries often target when trying to launch an attack, "because it's usually at your seams where you're the weakest, as far as your staff is concerned," the specialist says.

Furthermore, the specialist expressed concern over the lack of oversight and accountability involving the document. The MWAA and many other airport authorities across the country regularly post similar SOW documents to the Internet. This one happened to be published with sensitive electronic security information that TSA agents either deemed harmless or counted on civilians to report. As a result, the document was not altered until civilians contacted the responsible party directly.

After this chain of events, the specialist says the TSA would likely have been held responsible by the U.S. public had the vulnerabilities exposed in the SOW been exploited. In this case, the specialist says, security should trump jurisdiction.

"If something were to happen because of a breach of the security at the airfield itself that led to items or personnel being introduced to an aircraft or something happening, I think the majority of the U.S. population would point their finger at the TSA and not at the MWAA," he says. "I understand where they're coming from because, when you look at the charter of the TSA, I don't think any time they're responsible for the physical security or the infrastructure of the airport. But most people don't get that differentiation."

Copyright 2016 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.